3) Expect increased awareness of external threats and less emphasis on insider threats. Maybe this is just wishful thinking, but the recent attention on botnets, malware professionalization, organized criminal cyber enterprises, and the like seems to be helping direct some attention away from inside threats. This may be premature for 2008, but I expect to see more coverage of outsiders again.
Today I saw the SANS Top Ten Cyber Security Menaces for 2008. (I thought using the term "menace" neatly sidesteps trying to classify these items using traditional terms, since the list mixes threats, attacks, tools, and so on.) Here is the "consensus list," according to 12 "cyber security veterans," in ranked order:
- Increasingly Sophisticated Web Site Attacks That Exploit Browser Vulnerabilities - Especially On Trusted Web Sites
- Increasing Sophistication And Effectiveness In Botnets
- Cyber Espionage Efforts By Well Resourced Organizations Looking To Extract Large Amounts Of Data - Particularly Using Targeted Phishing
- Mobile Phone Threats, Especially Against iPhones And Android-Based Phones; Plus VOIP
- Insider Attacks
- Advanced Identity Theft from Persistent Bots
- Increasingly Malicious Spyware
- Web Application Security Exploits
- Increasingly Sophisticated Social Engineering Including Blending Phishing with VOIP and Event Phishing
- Supply Chain Attacks Infecting Consumer Devices (USB Thumb Drives, GPS Systems, Photo Frames, etc.) Distributed by Trusted Organizations
I've written before that I am not a big fan of expert opinions, but this is a generic list that does not try to "measure risk" for a particular organization. I still prefer alternatives, but I find it fascinating that the big bad insider is listed as number 5. Every other item is arguably an outsider problem, as my prediction stated. The first three are absolutely outsider-based. I take all of this as a good sign that the tide is turning (again).